
USHIFT-6983: Drop optional components from tuned CI images #6782

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from pacevedom:USHIFT-6983 on Jun 2, 2026

Conversation

@pacevedom

@pacevedom pacevedom commented Jun 1, 2026

Contributor

The tuned containerfiles inherited from the optional base image, which installed OLM, Istio, cert-manager, SR-IOV, and other optional components. None of the 3 scenarios using this image test optionals, but those components generated 58% of the slow etcd requests during startup on CPU-constrained ARM64 VMs (TuneD isolates most CPUs, leaving only 2 for system services). This etcd pressure contributes to PodSecurity admission timeouts that crash MicroShift on restart.

Make the tuned containerfiles self-contained: inherit from test-agent, install only core MicroShift + microshift-low-latency, and configure firewall directly. This eliminates the optional component overhead without affecting any other image consumers.

Summary by CodeRabbit

  • Chores
    • Updated test container images to install MicroShift packages (including low-latency variant), enable MicroShift services, and include RPM repo handling for offline installs.
    • Added explicit offline firewall configuration opening required SSH/HTTP/HTTPS/DNS/Kubernetes API and NodePort ports.
    • CI now forces rebuilds of tuned bootc images for EL9/EL10 group2 to ensure these updates are applied.

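The 58% figure above is the kind of number you get by attributing etcd's slow-request warnings to the component whose keys each request touches. The following Python script is an added example of that attribution, not part of this PR or of MicroShift. It assumes etcd's JSON warning format ("apply request took too long", with the key inside the "request" field, as etcd 3.5 logs it) and sub-minute durations in the "took" field; the key-prefix to component mapping, the component names and the journal lines are constructed for illustration.

```python
"""Attribute etcd slow-request warnings to the component whose keys they touch.

Added example, not part of this PR or of MicroShift. Assumes etcd's JSON
warning format as logged by etcd 3.5; COMPONENT_PREFIXES and SAMPLE_JOURNAL
are constructed for illustration.
"""
import json
import re
from collections import Counter

# Assumed mapping from etcd key prefixes under /kubernetes.io/ to the optional
# component that owns those API groups; any other key counts as "core".
COMPONENT_PREFIXES = {
    "operators.coreos.com/": "olm",
    "packages.operators.coreos.com/": "olm",
    "cert-manager.io/": "cert-manager",
    "networking.istio.io/": "istio",
    "gateway.networking.k8s.io/": "istio",
    "sriovnetwork.openshift.io/": "sriov",
}
_KEY = re.compile(r'key:"([^"]*)"')
_DURATION = re.compile(r"^(\d+(?:\.\d+)?)(ms|s|µs|us)$")  # sub-minute values only


def parse_took(value: str) -> float:
    """Convert etcd's "took" field ('412.3ms', '1.2s') to milliseconds."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return float(m.group(1)) * {"ms": 1.0, "s": 1000.0, "µs": 0.001, "us": 0.001}[m.group(2)]


def classify_key(key: str) -> str:
    """Map an etcd key to the component owning it, or "core"."""
    rest = key[len("/kubernetes.io/"):] if key.startswith("/kubernetes.io/") else key
    for prefix, component in COMPONENT_PREFIXES.items():
        if rest.startswith(prefix):
            return component
    return "core"


def slow_requests(lines):
    """Yield (component, took_ms) per slow-apply warning; the journalctl
    prefix, non-JSON lines and other etcd messages are skipped."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if rec.get("msg") != "apply request took too long":
            continue
        m = _KEY.search(rec.get("request", ""))
        if m:
            yield classify_key(m.group(1)), parse_took(rec["took"])


def attribute(lines) -> dict:
    """Return {component: (count, share_of_slow_requests, total_ms)}."""
    counts, total_ms = Counter(), Counter()
    for component, took in slow_requests(lines):
        counts[component] += 1
        total_ms[component] += took
    n = sum(counts.values())
    return {c: (counts[c], counts[c] / n, round(total_ms[c], 1)) for c in counts}


def optional_share(lines) -> float:
    """Fraction of slow requests caused by non-core components."""
    rows = attribute(lines)
    n = sum(r[0] for r in rows.values())
    return sum(r[0] for c, r in rows.items() if c != "core") / n if n else 0.0


def _etcd_warn(key: str, took: str) -> str:
    """Constructed journal line in the shape MicroShift's embedded etcd logs."""
    rec = {"level": "warn", "ts": "2026-06-01T10:00:01.000Z",
           "caller": "etcdserver/util.go:170", "msg": "apply request took too long",
           "took": took, "expected-duration": "100ms", "prefix": "read-only range ",
           "request": f'key:"{key}" range_end:"{key}0" ',
           "response": "range_response_count:1 size:512"}
    return "Jun 01 10:00:01 host microshift-etcd[1234]: " + json.dumps(rec)


SAMPLE_JOURNAL = [  # constructed sample, not real CI output
    _etcd_warn("/kubernetes.io/operators.coreos.com/catalogsources/", "412.3ms"),
    _etcd_warn("/kubernetes.io/packages.operators.coreos.com/packagemanifests/", "250ms"),
    _etcd_warn("/kubernetes.io/cert-manager.io/certificates/", "1.2s"),
    _etcd_warn("/kubernetes.io/pods/", "130ms"),
    _etcd_warn("/kubernetes.io/configmaps/", "105.5ms"),
    "Jun 01 10:00:02 host microshift[1234]: I0601 10:00:02.000 1 unrelated line",
]

if __name__ == "__main__":
    for component, (count, share, ms) in sorted(attribute(SAMPLE_JOURNAL).items()):
        print(f"{component:<14} {count:>3} slow requests {share:6.1%} {ms:8.1f} ms")
    print(f"optional components: {optional_share(SAMPLE_JOURNAL):.0%} of slow requests")
```

On a real host the input would be `journalctl -u microshift-etcd.scope` (or wherever the embedded etcd logs on the version in use); the point of the example is the attribution step, which separates "etcd is slow" from "these API groups are making etcd slow".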
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 1, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 1, 2026
@openshift-ci

openshift-ci Bot commented Jun 1, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot

openshift-ci-robot commented Jun 1, 2026


@pacevedom: This pull request references USHIFT-6983 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.


@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Contributor

Walkthrough

Two RHEL bootc test container images (EL10 rhel102 and EL9 rhel98) switch to test-agent bases, add templated RPM-repo copying and MicroShift RPM installs, enable MicroShift services, apply offline firewall rules, and CI now forces group2 tuned image rebuilds.

Changes

MicroShift Test Container Updates

EL10 containerfile (base, repo copy, install, firewall)
File: test/image-blueprints-bootc/el10/layer4-release/group2/rhel102-bootc-brew-lrel-tuned.containerfile
Summary: Base image switched to localhost/rhel102-test-agent:latest; build args and COPY add the RPM repo and .repo files; DNF installs MicroShift RPMs (templated by MICROSHIFT_MANDATORY_RPMS and BREW_LREL_RELEASE_VERSION), enables services, cleans repos, and applies firewall-offline-cmd rules.

EL9 containerfile (base, repo copy, install, firewall)
File: test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-tuned.containerfile
Summary: Base image switched to rhel98-test-agent; templated build args and COPY of the RPM repo and .repo files; DNF installs MicroShift RPMs and dependencies, enables services, removes repo artifacts, cleans DNF, and applies firewall-offline-cmd rules including the NodePort TCP/UDP ranges.

CI: force rebuild of group2 tuned images
File: test/bin/ci_phase_iso_build.sh
Summary: The run_bootc_image_build path now calls build_bootc_images.sh -f -g .../group2 for EL9 and EL10 to force rebuilding the layer4-release tuned group2 images before the early return.


Suggested reviewers

  • vanhalenar
  • eslutsky
Pre-merge checks: 15 passed

Description Check: Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
Title check: Passed. The title accurately summarizes the main change: dropping optional components from tuned CI container images by switching from optional base images to the test-agent base.
Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names: Passed. PR contains no Ginkgo tests; only containerfiles and CI scripts. The check for stable/deterministic test names is not applicable.
Test Structure And Quality: Passed. No Ginkgo test files modified in this PR. The changes are containerfiles and CI shell scripts, not test code subject to this check.
Microshift Test Compatibility: Passed. No Ginkgo e2e tests are added in this PR; only Containerfile and CI script changes. The custom check applies only to new Ginkgo e2e tests.
Single Node Openshift (SNO) Test Compatibility: Passed. No Ginkgo e2e tests are added in this PR. Changes are limited to Containerfiles and a CI shell script; no Go test code present.
Topology-Aware Scheduling Compatibility: Passed. PR changes are containerfiles and CI scripts, not deployment manifests, operator code, or controllers. No Kubernetes scheduling constraints introduced.
OTE Binary Stdout Contract: Passed. PR modifies containerfiles and shell scripts, not OTE/Go test binaries. The stdout contract check applies only to Go test code; this PR contains no such code.
IPv6 And Disconnected Network Test Compatibility: Passed. No Ginkgo e2e tests were added in this PR. Changes are limited to Containerfiles and a bash CI script, not test code.
No-Weak-Crypto: Passed. No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in the modified Containerfiles or CI script.
Container-Privileges: Passed. No privileged containers, elevated capabilities, hostNetwork/PID/IPC, SYS_ADMIN, or allowPrivilegeEscalation settings found. Changes only add package installations and standard firewall configuration.
No-Sensitive-Data-In-Logs: Passed. No sensitive data logging detected. Changes only log build paths, package names, firewall rules, and resource configuration; no passwords, tokens, API keys, or PII.
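The walkthrough above makes two claims about the new containerfiles that are worth checking mechanically before an image is trusted in CI: only core MicroShift RPMs (plus microshift-low-latency) are installed, and the firewall-offline-cmd rules open exactly the SSH/HTTP/HTTPS/DNS/Kubernetes API/NodePort set. The Python audit below is an added example, not code from the MicroShift repository; the optional RPM names, the "optional" base-image naming convention, the concrete port numbers and both sample containerfiles are assumptions made for illustration. One caveat it makes explicit: a containerfile that inherits optional components from its base image contains no dnf install of them, so a static check must also look at FROM.

```python
"""Static audit of a bootc Containerfile: no optional MicroShift components are
installed, and firewall-offline-cmd opens exactly the expected ports.

Added example, not code from the MicroShift repository. OPTIONAL_RPMS,
EXPECTED_PORTS, the "optional" base-image naming convention and the two
sample containerfiles are assumptions made for illustration.
"""
import re
import shlex

# Assumed RPM names for the optional components the PR drops from the images.
OPTIONAL_RPMS = {"microshift-olm", "microshift-gateway-api",
                 "microshift-cert-manager", "microshift-sriov", "microshift-multus"}
# Assumed port numbers for the services the PR description names
# (SSH, HTTP, HTTPS, DNS, Kubernetes API, NodePort range).
EXPECTED_PORTS = {"22/tcp", "80/tcp", "443/tcp", "53/tcp", "53/udp",
                  "6443/tcp", "30000-32767/tcp", "30000-32767/udp"}
_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")  # simple-command separators


def instructions(containerfile: str):
    """Yield (KEYWORD, argument) pairs, joining backslash-continued lines and
    dropping blank and comment lines, as a Dockerfile parser does."""
    buf = ""
    for raw in containerfile.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        keyword, _, arg = (buf + line).strip().partition(" ")
        buf = ""
        yield keyword.upper(), arg.strip()


def audit(containerfile: str) -> dict:
    """Return base image, installed packages, opened ports and findings."""
    base, installed, ports, findings = "", set(), set(), []
    for keyword, arg in instructions(containerfile):
        if keyword == "FROM":
            base = arg.split()[0]
        if keyword != "RUN":
            continue
        for cmd in _SPLIT.split(arg):
            toks = shlex.split(cmd)
            if not toks:
                continue
            if toks[0] == "dnf" and "install" in toks:
                # Package names follow "install"; options such as -y are skipped.
                i = toks.index("install")
                installed.update(t for t in toks[i + 1:] if not t.startswith("-"))
            elif toks[0] == "firewall-offline-cmd":
                for j, t in enumerate(toks):
                    if t.startswith("--add-port="):
                        ports.add(t.split("=", 1)[1])
                    elif t == "--add-port" and j + 1 < len(toks):
                        ports.add(toks[j + 1])
    # A containerfile inheriting optionals from its base installs none itself,
    # so the static view must also look at FROM (naming convention assumed).
    if "optional" in base:
        findings.append(f"base image appears to carry optional components: {base}")
    findings += [f"optional component installed: {p}" for p in sorted(installed & OPTIONAL_RPMS)]
    findings += [f"expected port not opened: {p}" for p in sorted(EXPECTED_PORTS - ports)]
    findings += [f"unexpected port opened: {p}" for p in sorted(ports - EXPECTED_PORTS)]
    return {"base": base, "installed": installed, "ports": ports, "findings": findings}


# Constructed sample in the shape the PR moves away from: an optional base
# image and, to exercise the package check, an explicit optional RPM install.
BEFORE = """\
FROM localhost/rhel98-bootc-optionals:latest
RUN dnf install -y microshift-olm && \\
    dnf clean all
RUN firewall-offline-cmd --add-port=22/tcp --add-port=6443/tcp
"""

# Constructed sample in the shape the PR description gives: test-agent base,
# core MicroShift plus microshift-low-latency, firewall configured directly.
AFTER = """\
FROM localhost/rhel98-test-agent:latest
# Repo file copied in by the build; the name is a placeholder for this example.
COPY ./bootc-images/microshift.repo /etc/yum.repos.d/
RUN dnf install -y microshift microshift-low-latency firewalld && \\
    systemctl enable microshift && \\
    rm -f /etc/yum.repos.d/microshift.repo && \\
    dnf clean all
RUN firewall-offline-cmd --add-port=22/tcp --add-port=80/tcp --add-port=443/tcp \\
    --add-port=53/tcp --add-port=53/udp --add-port=6443/tcp \\
    --add-port=30000-32767/tcp --add-port=30000-32767/udp
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        result = audit(text)
        print(f"{name}: {len(result['findings'])} finding(s)")
        for finding in result["findings"]:
            print("  -", finding)
```

The check is deliberately narrow: it reads what the containerfile says, not what the built image contains. For the inherited case it can only raise a naming-based suspicion about the base, which is exactly the gap this PR closed by making the tuned containerfiles self-contained; confirming the installed package set on the built image (for example with rpm -qa inside it) remains a separate step.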

@pacevedom

Contributor Author

/test ?

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 1, 2026
@pacevedom

Contributor Author

/test e2e-aws-tests-bootc-release-arm-el9
/test e2e-aws-tests-release-arm
/test e2e-aws-tests-bootc-release-arm-el10

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@test/image-blueprints-bootc/el10/layer4-release/group2/rhel102-bootc-brew-lrel-tuned.containerfile`:
- Around line 12-14: The COPY instruction currently copies
microshift-fast-datapath-rhel9.repo into the RHEL10 image (see the COPY line
referencing ./bootc-images/microshift-fast-datapath-rhel9.repo and the variable
USHIFT_RPM_REPO_NAME); update the containerfile so it copies the appropriate
RHEL10 fast-datapath repo (e.g., microshift-fast-datapath-rhel10.repo) or, if
using the RHEL9 repo is intentional, add a brief comment above the COPY
explaining why the RHEL9 repo is valid for this RHEL10 image and ensure the repo
file name/contents and USHIFT_RPM_REPO_NAME usage reflect that decision.
- Around line 19-23: EL10's RUN instruction installs "openssl" alongside
"firewalld" and "systemd-resolved" to force an OpenSSL upgrade for the
systemd-resolved/systemd bump; align the EL9 containerfile to match by adding
"openssl" to its dnf install line (and the same explanatory comment) or, if EL9
is intentionally different, add a clear comment in the EL9 containerfile
explaining why the OpenSSL workaround is not needed; update the RUN/dnf install
invocation that currently contains "firewalld systemd-resolved" to include
"openssl" (and mirror the repoinfo/install pattern) or add the justification
comment so the discrepancy is documented.

📥 Commits

Reviewing files that changed from the base of the PR and between 8161288 and f3b0e25.

📒 Files selected for processing (2)
  • test/image-blueprints-bootc/el10/layer4-release/group2/rhel102-bootc-brew-lrel-tuned.containerfile
  • test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-tuned.containerfile

@pacevedom

Contributor Author

/test e2e-aws-tests-bootc-release-arm-el9
/test e2e-aws-tests-bootc-release-arm-el10

4 similar comments

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/bin/ci_phase_iso_build.sh`:
- Around line 128-130: This TEMP forced-rebuild block using $(dry_run) bash -x
./bin/build_bootc_images.sh -f -g
./image-blueprints-bootc/el9/layer4-release/group2 and the el10 equivalent must
be removed before merge; while it exists, change it to (1) gate the invocation
by the job OS so an arm-el9 job does not also trigger the el10 build (use
whatever job OS/env variable is available in the script to conditionally run the
el9 vs el10 call), and (2) avoid rebuilding the whole group by invoking
build_bootc_images.sh in a mode that only rebuilds changed containerfiles (or
pass a list of changed blueprints) instead of -g .../group2; keep the $(dry_run)
behavior intact while testing.

📥 Commits

Reviewing files that changed from the base of the PR and between f3b0e25 and 5e69f56.

📒 Files selected for processing (1)
  • test/bin/ci_phase_iso_build.sh

@pacevedom

Contributor Author

/test e2e-aws-tests-bootc-release-arm-el9
/test e2e-aws-tests-bootc-release-arm-el10

@pacevedom pacevedom marked this pull request as ready for review June 2, 2026 12:36
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 2, 2026
@openshift-ci openshift-ci Bot requested review from ggiguash and vanhalenar June 2, 2026 12:38
@ggiguash

ggiguash commented Jun 2, 2026

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 2, 2026
@openshift-ci

openshift-ci Bot commented Jun 2, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ggiguash, pacevedom


@pacevedom

Contributor Author

/verified by CI

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 2, 2026
@openshift-ci-robot


@pacevedom: This PR has been marked as verified by CI.


@pacevedom

Contributor Author

/override ci/prow/e2e-aws-tests-bootc-release-arm-el9
/override ci/prow/e2e-aws-tests-bootc-release-arm-el10

@pacevedom

Contributor Author

/cherry-pick release-4.22

@openshift-cherrypick-robot


@pacevedom: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.


@openshift-ci

openshift-ci Bot commented Jun 2, 2026

Contributor

@pacevedom: Overrode contexts on behalf of pacevedom: ci/prow/e2e-aws-tests-bootc-release-arm-el10, ci/prow/e2e-aws-tests-bootc-release-arm-el9


@openshift-merge-bot openshift-merge-bot Bot merged commit 5280d21 into openshift:main Jun 2, 2026
16 checks passed
@openshift-cherrypick-robot


@pacevedom: new pull request created: #6791

